Summary:
On January 10, 2024, Ivanti published an advisory regarding two vulnerabilities (CVE-2023-46805 and CVE-2024-21887) that impact all supported versions of the Connect Secure (formerly known as Pulse Connect Secure) and Policy Secure gateways. CVE-2023-46805 is an authentication bypass vulnerability, and CVE-2024-21887 is a command injection vulnerability. Chaining the two vulnerabilities enables threat actors to execute arbitrary commands on the appliance, allowing them to steal configuration data, modify existing files, download files, and create a reverse tunnel from the VPN server.
Security researchers at Volexity identified exploitation of these vulnerabilities to deploy web shells and harvest credentials. The researchers linked this activity to a Chinese state-sponsored threat actor dubbed UTA0178. Additional research by Volexity revealed evidence that more than 1,700 appliances have been compromised by UTA0178 and other threat actors via indiscriminate targeting of organizations predominantly in the U.S., but also across Europe, China, and India.
Recommended actions:
Our security partner (Secureworks Counter Threat Unit researchers) recommends that customers review the vendor advisory and apply the mitigations as appropriate in their environments until patches are available.
Questions:
If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk
References:
- KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
- Recovery Steps Related to CVE-2023-46805 and CVE-2024-21887 (ivanti.com)
- Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN | Volexity
- Ivanti Releases Security Update for Connect Secure and Policy Secure Gateways | CISA
- NVD – CVE-2023-46805 (nist.gov)
- NVD – CVE-2024-21887 (nist.gov)